IT Professionals Say Employees Ignore Security Rules

By Nathan Eddy |
Posted 2013-04-23

The vast majority (81.4 percent) of IT security staff think that employees tend to ignore the rules that IT departments put in place, and more than half (52.2 percent) of the same respondents said they believe that employees would not listen more even if IT directives came from executive management, rather than IT, according to a survey by identity management and security management specialist Lieberman Software.

The survey, which was carried out in February at RSA Conference 2013, measured the attitudes of nearly 250 IT security professionals and the way their organizations manage cyber-security. Nearly 50 percent of the respondents work in organizations with more than 1,000 people. More than 70 percent of IT security professionals would not be willing to bet $100 of their own money that their companies will not suffer a data breach in the next six months.

"These figures highlight the fact that IT security professionals realize that most organizations are woefully unprotected against cyber-attacks. While vendors of conventional security products—like firewalls and antivirus—are constantly updating their tools to reactively protect against the latest threats, hackers are looking for flaws and engineering new attacks to exploit them," Philip Lieberman, president and CEO of Lieberman Software, said in a statement. "The reality is that 100 percent protection is nearly impossible to achieve, but there are still best practices for securing access to critical systems and data that many organizations tend to ignore."

Just over three-quarters (75.8 percent) of IT personnel said they think that employees in their organization have access to information that they don't necessarily need to perform their jobs, and while 38.3 percent of IT security personnel have witnessed a colleague access company information that he or she should not have access to, more than half (54.7 percent) of those respondents did not report their colleagues who accessed that information.

"This survey revealed the unfortunate fact that so many IT groups are still not changing default passwords when deploying new systems. This should be a standard practice. Default privileged passwords are, in a sense, hidden backdoors onto systems that are deployed on a network," Lieberman said. "Most default passwords are publicly known and easily found online, meaning anyone with malicious intent can use these default credentials to gain anonymous access to systems and applications throughout the enterprise."

The survey also found 32.3 percent of IT security professionals work in organizations that do not have a policy to change default passwords when deploying new hardware, applications and network appliances to the network. Overall, 64.7 percent of respondents said they think that they have more access to sensitive information than colleagues in other departments.

"IT departments that do not have a solution in place to automatically detect, flag and change default privileged passwords on newly deployed systems are neglecting a very common security hole,” Lieberman concluded.